Subject: Re: nfs optimization and veriexec
To: YAMAMOTO Takashi <>
From: Elad Efrat <>
List: tech-security
Date: 11/13/2007 09:21:51

YAMAMOTO Takashi wrote:

> For the long term, I want to remove "lookup before create" from vfs.
> So I hope to see the assumption removed from veriexec, rather than
> making the rest of the kernel veriexec-aware.

So it's not just an *NFS* optimization, is it? :)

Basically, Veriexec has a feature where it can prevent creation of new
files. I'd like to maintain that feature... or at least learn more about
what benefits this optimization has if the direction is that the two
can't co-exist.

Would it be possible to have Veriexec treat a "create unless exists" as
"create"? Or would that break programs that open, say, log files with